[Poppler-bugs] [Bug 30228] New: poppler: use of uninitialized DCTScanInfo dcHuffTable / acHuffTable values

bugzilla-daemon at freedesktop.org
Thu Sep 16 06:50:31 PDT 2010


https://bugs.freedesktop.org/show_bug.cgi?id=30228

           Summary: poppler: use of uninitialized DCTScanInfo dcHuffTable
                    / acHuffTable values
           Product: poppler
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: minor
          Priority: medium
         Component: general
        AssignedTo: poppler-bugs at lists.freedesktop.org
        ReportedBy: thoger at redhat.com


Due to the way DCTStream::readScanInfo tries to work around problems with some
broken DCT streams, it can leave certain scanInfo.dcHuffTable /
scanInfo.acHuffTable values uninitialized.  These values are later used as
indices to DCTStream's dcHuffTables / acHuffTables arrays.  Bogus values cause
out-of-bounds array access, resulting in an invalid DCTHuffTable pointer being
passed to DCTStream::readHuffSym, which can lead to a crash.

A fix may ensure that all scanInfo.dcHuffTable / scanInfo.acHuffTable members
are initialized to a safe value (e.g. 0) early in DCTStream::readScanInfo (this
may not be a perfect fix, but may be more corrupted-file friendly), or add an
extra check near the end of DCTStream::readScanInfo verifying that all values
are in range.  The upper bound can be either sizeof([ad]cHuffTables), or
num[AD]CHuffTables.  Looking at DCTStream::readHeader, there does not seem
to be a guarantee that DCTStream::readHuffmanTables is called before
DCTStream::readScanInfo, but it should not be called after.

Note: I do understand this is in the #ifndef ENABLE_LIBJPEG, so not too likely
to be used in current poppler builds.  Feel free to wontfix if the code is
considered dead.

-- 
Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
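
The two mitigations proposed in the report, as an added example that is not
Poppler's code and not part of the original mail: a simplified model of a scan
header parser that only writes the slots the header names.  The struct layout,
the array sizes, the 1-based component ids and the kStale filler value are
assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>

constexpr int kMaxComps = 4;        // assumed per-component array size
constexpr int kNumTables = 4;       // assumed size of dcHuffTables / acHuffTables
constexpr int kStale = 0x5a5a5a5a;  // constructed stand-in for uninitialized memory

struct ScanInfo {                   // simplified stand-in for DCTScanInfo
    int dcHuffTable[kMaxComps];
    int acHuffTable[kMaxComps];
};

// Returns a ScanInfo whose selectors hold leftover garbage, as a reused object would.
ScanInfo staleScanInfo() {
    ScanInfo s;
    for (int i = 0; i < kMaxComps; ++i) s.dcHuffTable[i] = s.acHuffTable[i] = kStale;
    return s;
}

bool inRange(int v) { return v >= 0 && v < kNumTables; }

// Parses (component id, selector byte) pairs: high nibble = DC table, low = AC table.
// Entries with an unknown id are skipped, so some slots may never be written.
// initFirst and rangeCheck are the two fixes suggested in the report.
bool readScanInfo(ScanInfo &s, const uint8_t *p, size_t n, int numComps,
                  bool initFirst, bool rangeCheck) {
    if (numComps < 1 || numComps > kMaxComps) return false;
    if (initFirst)  // fix 1: give every slot a safe value before parsing
        for (int i = 0; i < kMaxComps; ++i) s.dcHuffTable[i] = s.acHuffTable[i] = 0;
    for (size_t k = 0; k + 1 < n; k += 2) {
        int id = p[k];
        if (id < 1 || id > numComps) continue;  // lenient handling of broken streams
        s.dcHuffTable[id - 1] = p[k + 1] >> 4;
        s.acHuffTable[id - 1] = p[k + 1] & 0x0f;
    }
    if (rangeCheck)  // fix 2: reject any selector that would index past the tables
        for (int i = 0; i < numComps; ++i)
            if (!inRange(s.dcHuffTable[i]) || !inRange(s.acHuffTable[i])) return false;
    return true;
}

int main() {
    const uint8_t hdr[] = {1, 0x10};  // constructed: names component 1 only
    ScanInfo s = staleScanInfo();
    return readScanInfo(s, hdr, sizeof hdr, 2, true, true) ? 0 : 1;
}
```

Zero-initialization alone does not reject a selector nibble larger than the
table count, which is why the model applies the range check as well.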

